Technical Field
This disclosure relates generally to web application security.
Background of the Related Art
Today, most organizations depend on web-based software and systems to run their business processes, conduct transactions with suppliers, and deliver sophisticated services to customers. Unfortunately, many organizations invest little to no effort in ensuring that those applications are secure. Web-based systems can compromise the overall security of organizations by introducing vulnerabilities that hackers can use to gain access to confidential company information or customer data. For example, HTTP-borne attacks can spring up out of nowhere, and their success or failure often hinges on the preparedness of the intended victim to repel the attack. One particularly effective type of attack exploits a previously unknown and undisclosed vulnerability; such attacks are termed zero-day attacks. The success of such attacks is inversely related to how quickly the victim reacts and marshals resources to respond.
Modern web delivery infrastructure comprises a multitude of different devices all acting in concert to provide the desired functionality. Generally speaking, the delivery infrastructure includes a self-managed portion of the computing facilities—usually termed “core”—and an outsourced portion—usually termed “cloud.” One specific function that is acquired from cloud providers is a Content Delivery Network, or CDN, which leverages a service provider's geographical dispersal along with unified command-and-control facilities. This dispersal allows content to be staged geographically close to requesting end users and therefore to achieve significant throughput increases on a web application. Given this model, servers in the CDN may be the first point of contact between the end user and the web application. CDNs are very effective, but due to their size and geographical dispersal, configuration of the network may be time-consuming. In particular, reconfiguring devices that are located away from the core is difficult, and thus counterattacks on certain vulnerabilities (such as zero-day attacks that originate over HTTP) may be harder to address when they are first encountered at the edge of the network.